[dns-operations] DNS ANY record queries - Reflection Attacks

Phil Regnauld regnauld at nsrc.org
Wed Sep 12 10:57:45 UTC 2012

paul vixie (paul) writes:
> moreover, the definition of the word "identical" is not what one would
> expect. perhaps we should say "vastly similar" rather than "identical".
> one of the things DNS RRL counts is the number of times a negative
> answer is generated, per-client-netblock, per-SOA-apex. these responses
> are not identical but they all flow from the same SOA. another thing we
> count is the number of times a wildcard is used per-client-netblock.

	Thanks for the examples. In my opinion, when one is the authority,
	DNS RRL makes a lot of sense: "I've sent a nearly identical answer
	a statistically sufficient number of times to be certain that a
	legitimate requestor should have received it" is good enough for me :)

	I do wish we had similar knobs in NSD (I thought version 3 was going
	to offer that) - http://www.nlnetlabs.nl/downloads/NSD_DenicTechnical.pdf,
	but that's from 2009.

> these responses are in no way identical but we treat them as such for
> the purpose of rate limiting. these are things i do not think a firewall
> can do unless it's so DNS-aware that it knows where the apex is, knows
> what names exist, and knows what wildcards exist. (more on that in my
> response to colm's thread.)

	It's not really a firewall at this point, it's a distributed DNS server
	with an aggressive query filter in front of it. It's part of the
	application, really.
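As an added illustration (not code from this thread, nor from BIND, NSD or any other RRL implementation), here is a toy Python model of the bucketing described above: negative answers are counted per client netblock per SOA apex, wildcard hits per client netblock, and ordinary answers per netblock and name, so responses that are "vastly similar" rather than identical still share one counter. The /24 and /56 prefix lengths, the responses-per-second limit and the "slip" (send every n-th excess response truncated so a real resolver retries over TCP) are assumed parameters chosen for the example.

```python
import ipaddress
from collections import defaultdict


class ResponseRateLimiter:
    """Simplified authoritative-side DNS RRL: count near-identical responses
    per client netblock and response class, then drop or slip the excess."""

    def __init__(self, responses_per_second=5, slip=2, v4_prefix=24, v6_prefix=56):
        self.rps = responses_per_second        # assumed limit per bucket per second
        self.slip = slip                       # every slip-th excess reply goes out truncated
        self.v4_prefix, self.v6_prefix = v4_prefix, v6_prefix
        self.buckets = defaultdict(lambda: [-1, 0])   # key -> [window second, count]

    def netblock(self, client_ip):
        """Collapse the client address to its netblock (assumed /24 or /56)."""
        ip = ipaddress.ip_address(client_ip)
        plen = self.v4_prefix if ip.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))

    def bucket_key(self, client_ip, qname, qtype, rcode, soa_apex, wildcard):
        """Classify a response the way the thread describes: all NXDOMAINs
        under one apex share a bucket, as do all wildcard-synthesised answers."""
        block = self.netblock(client_ip)
        if rcode == "NXDOMAIN":
            return ("negative", block, soa_apex.lower())
        if wildcard:
            return ("wildcard", block)
        return ("answer", block, qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, rcode="NOERROR", soa_apex=None,
               wildcard=False, now=0):
        """Return 'send', 'slip' (truncated reply) or 'drop' for one response."""
        key = self.bucket_key(client_ip, qname, qtype, rcode, soa_apex, wildcard)
        bucket, window = self.buckets[key], int(now)
        if bucket[0] != window:                # new one-second window: reset the count
            bucket[0], bucket[1] = window, 0
        bucket[1] += 1
        if bucket[1] <= self.rps:
            return "send"
        excess = bucket[1] - self.rps
        if self.slip and excess % self.slip == 0:
            return "slip"
        return "drop"
```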

